Marriott Data Breach: Protect Your Meeting Attendees

A security breach at Marriott's Starwood-branded hotels may have exposed the personal information—and possibly payment-card information—of as many as 500 million guests worldwide. Affected hotel brands include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, Le Méridien and Four Points.

While the unauthorized access had been discovered by Marriott on Sept. 8, 2018, details of the hotel security breach were not announced by Marriott until Friday, Nov. 30, 2018, following an investigation. The company said it would soon begin following up with customers whose information was impacted.

News that the personal information of up to 500 million Starwood guests may have been compromised is sure to send a chill down the spines of meeting planners and the organizations they work for.

“We deeply regret this incident happened,” Sorenson said in the written public statement from Marriott. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

“Today, Marriott is reaffirming our commitment to our guests around the world,” he continued. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

While it's impossible to completely safeguard yourself and attendees against data breaches, especially those involving stays at major hotels, there are some general best practices that planners can follow to prevent cybersecurity calamities, such as the Marriott data breach, at their own meetings and events.

To protect credit card data, consider the following cybersecurity measures:

Be careful about how you collect and give credit card information and consider using paper for on-site registration forms. Though realize paper registration forms also come with risk!

More tips for shoring up your cybersecurity at meetings and events are available here.

Meanwhile, Marriott said it has taken the following steps to help guests monitor and protect their information and also suggested some other helpful advice for those who fear their data is at risk.

Dedicated Website and Call Center for Marriott Guests

We have established a dedicated website (info.starwoodhotels.com) and call center to answer questions you may have about this incident. The frequently-asked questions on the dedicated website may be supplemented from time to time. The call center is open seven days a week and is available in multiple languages.

Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year.

WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.

Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries.

Guests from the United States who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free. To activate WebWatcher, visit info.starwoodhotels.com.

Additionally, according to credit and loan management website Credit Sesame, consumers should take the following five steps if they have been a victim of identity theft in order to prevent further damage:

Action Item No. 1: Contact Any Institution Directly Affected

If you know your credit card was stolen, report the theft to the credit card issuer. If your checkbook or debit card was stolen, contact your bank. For this step it’s really helpful if you’ve prepared a list of institutions and phone numbers in advance. Don’t write down account numbers, PINs or passwords—that would be just one more way for a thief to gain access to your personal information. But know what you’ve got.

Keep a list of what’s in your wallet, along with the contact information for each item.

The best place to keep this list is on an encrypted secure online file storage site.

The FTC will provide you with information about what to do next, depending on the type of fraud.

Action Item No. 3: File a Police Report

To complete the Identity Theft Report, you’ll need to contact your local law enforcement office and report the theft. Be sure to get a copy of the police report and/or the report number. Both your police report and the FTC Identity Theft Affidavit combine to create your Identity Theft Report.

Your Identity Theft Report will help you when working with the credit reporting agencies or any other entities the identity thief may have contacted to open accounts in your name.

If you have reason to believe the identity thief may have submitted a fraudulent change-of-address to the post office or has used the U.S. mail to commit the fraud against you, contact the Postal Inspection Service, which is the law enforcement and security branch of the post office.

No matter how much planners prepare, data breaches are bound to happen in our increasingly digitized world. However, it’s still important that meeting planners establish duty of care protocols to protect attendees.

About the Author

Tyler Davidson has covered the travel trade for nearly 25 years. In his current role with Meetings Today, Tyler leads the editorial team on its mission to provide the best meetings content in the industry.